Update the version of `bleach` that gets vendored into our package and remove dependency on the `six` library

[arcra]

While working on #6964 , TB was still not working for me with python 3.12 or 3.13.

I believe this is mostly just an issue with "local builds" (which is how I was testing it) because we specify to bazel that a specific version of some libraries should be used, e.g. here.

It might be the case that this would not be an issue once the pip package is built, and a user can install and upgrade the six dependency freely in their system. However, bleach started vendoring html5lib from v3.0, and removed the six dependency altogether in v6.0.

So I think it would still be a good idea to update this vendored dependency and avoid any dependency constraints with the six library.

I had originally filed this issue with title Make TB work with python 3.12 and 3.13 and a different description. Below is the original description of this issue:

---

While fixing #6964 , I learned that TB still doesn't work with python 3.12 or 3.13 after the fix. This is because we "vendor" a couple old dependencies (bleach and html5lib), which (I'm guessing) themselves either vendor or are restricted to work with an old version of the six library, and this old version does not work with 3.12 or 3.13. (Or perhaps we are also vendoring an old version of the six dependency somehow within our package. It's not entirely clear to me.)

bleach started vendoring html5lib from v3.0, and removed the six dependency altogether in v6.0.

I think we should try to update this vendored bleach dependency, and remove any dependencies on html5lib or six packages, and see if it works correctly.

There might be other things that depend on six, or other dependencies that themselves vendor or depend on an old version of six, so we'll probably need to play a bit of whack-a-mole to get this to work.

Note that some newer versions of six do work with python 3.12 and 3.13, as reported in this stack overflow and this mozilla bug report. So, if for some reason we can't update bleach to v6.0, we can try to update the underlying dependencies to make this work.

[Zamanhuseyinli]

Replacing TB will be a bit of a hassle, but if possible, simply using more up-to-date dependencies instead of html5lib could make it available in Python. However, there's little point in offering support that the vendor doesn't already provide. Therefore, since we're already designing a new library tree, it seems more logical to adapt the html5lib and six alternatives for TB. However, doing so would change the overall structure of the TB tree. So, we have two options: either completely redesign the library structure or play whack-a-mole with each Python release, trying to stay vendor-loyal.

[arcra]

I'm sorry, I didn't quite follow your comment, Zaman, but I think I might have somewhat good news.

I think the issue I had using python 3.12+ is only an issue for "local builds" (which is how I was testing that change, and is how our CI workflow tests it), because we specify to bazel that a specific version of these libraries should be used, e.g. here.

However, AFAIU, only bleach, html5lib and webencodings are "vendored" by us when the pip package is created, and six is required as a dependency separately.

So it might be the case that a user who installs the pip package could upgrade the version of six in their system, and it might work fine.

Having said that, I still think it would be good to update the bleach dependency and remove the explicit dependency on six that we have, not to mention, there's still some risk of this older version of bleach and html5 not being compatible with a newer version of six. Anyway, I'll try to go ahead with updating the version of bleach that gets vendored with our TB package.

As such, I'll update the title and description of this issue accordingly.

[Zamanhuseyinli]

Well, I think it's a good idea because even though the six package doesn't fully support 3.13, it can be adapted and you can use a different alternative instead of htm5lib if you want. Because unsupported software after certain standards may have problems with the "c-binding" Python interface. Even though cpp++17 is developed to fully support it, the Python "c-binding" interface is constantly updated. PEP CPYTHON DOCUMENTATION Therefore, you can find a better alternative instead of htm5lib or I can develop one if you want. It wouldn't be that hard to adapt it to the TB library structure anyway. If the "local building" is affected, then we can adapt the local environment structure directly to Python if you want or you can continue with html5lib but it's better to use an alternative directly rather than encountering cbinding problems. more logical.

[Zamanhuseyinli]

Sorry, I interpreted the word "bleach" differently. You mean Library Bleach. Yes, it makes more sense to do this. Bleach will not use those dependencies in new versions anyway.